Many organizations struggle in applying DevSecOps practices and principles in a cybersecurity-constrained environment because programs lack a consistent basis for managing software intensive development, cybersecurity, and operations in a high-speed lifecycle. We will discuss how an authoritative reference, or Platform Independent Model (PIM), is needed to fully design and execute an integrated DevSecOps strategy in which all stakeholder needs are addressed, such as engineering security into all aspects of the DevSecOps pipeline to include both the pipeline and the deployed system. We will discuss how a PIM of a DevSecOps system can be used to

1. Specify the DevSecOps requirements to the lead system integrators who need to develop a platform-specific solution that includes the system and CI/CD pipeline.
2. Assess and analyze alternative pipeline functionality and feature changes as the system evolves.
3. Apply DevSecOps methods to complex systems that do not follow well-established software architectural patterns used in industry.
4. Provide a basis for threat and attack surface analysis to build a cyber assurance case in order to demonstrate that the software system and DevSecOps pipeline are sufficiently free from vulnerabilities and function only as intended

What attendees will learn

Plenty of guidelines exist to implement DevSecOps, but many of the decisions are left to each organization to implement and require a considerable amount of interpretation and often results in confusion. Attendees will understand how a DevSecOps PIM can be used to provide

• Consistent guidance and modeling capability that ensure all proper layers and development concerns are captured
• The model-based engineering of DevSecOps is included in the system model. This allows proper modeling of DevSecOps design trades resulting in less costly systems.
• Metrics and documentation of tradeoffs are captured and analyzed through the model-based engineering platform—PIM and will explicitly identify points that should be addressed or mitigated as well as mechanisms to manage coverage of the points. The model will provide dynamic matrices of whether those points were addressed, how they were addressed, and how well the corresponding (to the points) module is covered.
• Risk modeling against decisions and DevSecOps model-based engineering to ensure security controls and processes are properly selected and deployed.

Who should attend?

• DevSecOps engineers
• program managers
• system engineers
• anyone interested in establishing or improving a DevSecOps CI/CD pipeline

About the Speakers

Aaron Reffett is a senior member of the technical staff in the CERT Security Automation Systems Technical Manager at CMU’s SEI. He develops and operates software systems for the analysis of cyber-related data in support of DoD and DHS programs. In addition, he provides support to DoD program offices transitioning from traditional software development to Agile and DevSecOps in the areas of software assurance and cybersecurity. He holds a BS in Computer Science and BA in Political Science from Virginia Tech.

Nataliya Shevchenko is a member of the at CMU’s SEI, working in its CERT Division. She specializes in system engineering, model-based system engineering (MBSE) and threat modeling methods. She has a breadth of experience across the software development lifecycle for more than 20 years. Prior to joining the SEI, she worked in the teleconferencing, railroad, and banking industries. She holds MS degrees in software engineering from Carnegie Mellon University, and BS and MS degrees in mathematics from Donetsk State University in Ukraine.

Joseph Yankel is a senior engineer and initiative lead of the DevSecOps Innovations team at the SEI. His current work is focused on analyzing and improving the DevSecOps posture of organizations working with the SEI.